Encrypting Si3 Deduplication Store

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Si3 encryption for Si3 deduplication store is one of the SEP sesam encryption types (also available are software-based and LTO encryption), introduced in v. 4.4.3 Tigon. SEP sesam provides encryption for Si3 deduplication to help ensure compliance with data protection legislation.

The administrator must create the deduplication security encryption key, which should only be known to the SEP sesam Server. If the encryption key is not available, the Si3 encrypted data cannot be read.

Configuring Si3 encryption

Si3 data encryption is set by creating a deduplication security password file that contains only the password. This file must then be specified in the relevant drive properties. The operating systems's own file protection services (file system permissions, encrypted file system) must be used to ensure that only the administrator and SEP sesam software can access the password file. For this, a special user running the SEP sesam service must have access to the password file.

If an incorrect password is used, the Si3 data store terminates immediately after checking the password.

After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later by using the command gc recreate all as shown below. Such subsequent encryption can take a long time depending on the occupancy level of the data store (check the size of the occupied data store space – the Filled parameter).

sm_dedup_interface -d <drive_number> gc recreate all

Example:

Steps

Create a password file that contains only the password. For example: C:/ProgramData/SEPsesam/var/ini/stpd_conf/my_dedup_store.pass.

Select the preconfigured Si3 deduplication store and double-click it to open the properties.

Under the Data Store properties, double-click the first drive of the Si3 deduplication store. The Drive Properties window opens.

Under Options, specify the deduplication security password file you created before. The path to the password file must be specified with slashes, backslashes must not be used. For example:dedup.security.passwdfile="C:/ProgramData/SEPsesam/var/ini/stpd_conf/my_dedup_store.pass".
Click OK to configure Si3 encryption. After enabling encryption, only the newly added data is encrypted. Existing data remains unencrypted by default, but can be encrypted later with the gc recreate all.

Si3 is then restarted. You can use the sm_dedup_interface to check the encryption status.

As of SEP sesam v. 4.4.3 Grolar, you can also check the encryption status under the data store properties, by clicking the Si3 State tab.

Changing encryption password (≥ 4.4.3 Grolar)

As of v. 4.4.3 Grolar, it is possible to change an encryption password if the encryption status is successful (Encryption process status: OK). By setting up a new encryption password, first the data is decrypted with the previous password and then encrypted again with a new password. The re-encryption is only allowed if the encryption status is as follows: Encryption process status: One password for all DDLs.

Steps

Select the preconfigured Si3 deduplication store and double-click it to open the properties.

Under the Data Store properties, double-click the first drive of the Si3 deduplication store. The Drive Properties window opens.

Under Encryption Password, specify a new encryption password and repeat it.

Click OK to set up new encryption password.

Encryption behavior during SDS replication

The Si3 encryption is implemented in the file system read-write method. As a consequence, the internal processing works with the raw data.
When replicating an encrypted store, the data is not transferred to the RDS in the encrypted state. The data is first decrypted on the source Si3 and then re-encrypted on the target Si3.
To guarantee absolute security during replication from source Si3 to target Si3, a secure VPN connection must be used for communication.